CMMC Incident Response Plan: Requirements, Testing, and a Free Template
Already dealing with a live incident?
If a cyber incident may affect a covered contractor information system, Covered Defense Information (CDI), or your ability to perform contract work designated as operationally critical support, the DFARS 252.204-7012 reporting clock may already be running — 72 hours from discovery. The legacy DIBNet portal was retired June 6, 2025; reports now go through DC3’s Incident Collection Format (ICF). Do not submit CUI, incident indicators, or contract details through this site. See our DFARS 7012 incident reporting guide for the current filing path.
A CMMC incident response plan is the written, tested capability a defense contractor uses to detect, analyze, contain, recover from, report, and test its response to cyber incidents that touch Controlled Unclassified Information (CUI). For CMMC Level 2, it has to satisfy three NIST SP 800-171 Revision 2 controls — 3.6.1, 3.6.2, and 3.6.3 — and, on any contract carrying DFARS 252.204-7012, it has to operationalize a hard 72-hour cyber-incident reporting deadline. The plan that passes an assessment is not the longest or the most polished — it’s the one whose process your people can demonstrate and whose evidence you can produce.
What changes the answer is your CMMC level and your contract clause. Level 1 (Federal Contract Information only) has no incident response control. Level 2 (you handle CUI) requires all three. Level 3 layers on enhanced requirements from NIST SP 800-172. The contract clause sets your level — not a checklist, and not us. Below, we map each control to the exact plan section that satisfies it, show what a C3PAO (CMMC Third-Party Assessment Organization) examines, and give you the complete plan structure for free.
Who needs a documented, tested IR plan — and who doesn’t:
- You do if you’re pursuing CMMC Level 2 (you store, process, or transmit CUI), or your contract carries DFARS 252.204-7012 (the “safeguarding and cyber incident reporting” clause).
- You may not need the full IR domain if you’re strictly Level 1 — Federal Contract Information only, no CUI, no 7012 clause. Basic reporting hygiene still matters, but the three IR controls below are a Level 2 obligation.
The 30-second version
| If you need to prove… | Map it to… | Keep this evidence |
|---|---|---|
| An operational incident-handling capability | NIST 800-171 3.6.1 / IR.L2-3.6.1 | The plan, named roles, reporting intake, incident tickets, training records |
| That you track, document, and report incidents | NIST 800-171 3.6.2 / IR.L2-3.6.2 | Incident log, notification matrix, internal + external report records |
| That the capability was tested | NIST 800-171 3.6.3 / IR.L2-3.6.3 | Tabletop scenario, attendee list, notes, after-action report, corrective actions |
| DFARS reporting readiness | DFARS 252.204-7012 | 72-hour workflow, medium assurance certificate owner, evidence-preservation plan |
What does CMMC require for incident response?
Incident Response is one of the 14 control families in NIST SP 800-171 Rev. 2, which contains 110 security requirements in total. CMMC Level 2 maps to all 110 (NIST SP 800-171 Rev. 2). The IR family is one of the smallest — just three requirements, tied with Awareness and Training and Risk Assessment; only Personnel Security, with two, is smaller — which is exactly why it gets underbuilt and why it generates findings out of proportion to its size.
The three controls, in NIST’s own words:
IR.L2-3.6.1 — Incident Handling
“Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.”
In practice: a real, running capability — not a binder — that covers the full lifecycle and that your people know how to use.
IR.L2-3.6.2 — Incident Reporting
“Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.”
In practice: an incident log, a named list of who you notify inside the company, and a defined list of external authorities — including DoD, when DFARS 252.204-7012 applies.
IR.L2-3.6.3 — Incident Response Testing
“Test the organizational incident response capability.”
In practice: a documented exercise — usually a tabletop — with a date, participants, a scenario, findings, and corrective actions.
The evidence map (what a C3PAO examines, interviews, and tests)
A C3PAO evaluates every requirement using three assessment methods defined in NIST SP 800-171A: examine (review your plan, policies, logs, and records), interview (ask your people how it works), and test (watch the capability operate). The IR family breaks into 14 discrete assessment objectives across the three controls.
| Control | Assessment objectives | How it’s checked | The plan section that satisfies it |
|---|---|---|---|
| IR.L2-3.6.1 (7 objectives) | Capability is established; includes preparation, detection, analysis, containment, recovery, and user-response activities. | Examine the plan/procedures; interview responders; review evidence the process ran. | Lifecycle sections + roles + severity scheme |
| IR.L2-3.6.2 (6 objectives) | Incidents are tracked; documented; external authorities identified; internal officials identified; authorities and officials are notified. | Examine the incident log and reporting matrix; interview on who gets called and when. | Incident tracking/log + internal & external reporting matrix (incl. DoD 72-hour report) |
| IR.L2-3.6.3 (1 objective) | The incident response capability is tested. | Examine test records — date, scenario, participants, findings, corrective actions. | Testing & exercise procedure + retained tabletop records |
Which incident response controls can you put on a POA&M?
This is the single most consequential fact about the IR domain, and almost no page states it. When you self-assess against NIST SP 800-171, you post a score to the Supplier Performance Risk System (SPRS). You start at 110 and subtract the weighted value of every requirement you haven’t fully implemented. Two of your three IR controls are worth 5 points each — and they’re not POA&M-eligible.
| Control | What it covers | SPRS point value | POA&M-eligible? |
|---|---|---|---|
| IR.L2-3.6.1 | Incident handling capability | 5 points | No — must be fully implemented |
| IR.L2-3.6.2 | Tracking, documenting, reporting | 5 points | No — must be fully implemented |
| IR.L2-3.6.3 | Testing the capability | 1 point | Yes (1-point controls only) |
The CMMC Program Rule (32 CFR Part 170) allows a conditional Level 2 status only if you score at least 88 of 110 (80%), carry nothing worth more than 1 point on the POA&M (32 CFR §170.21 makes one narrow exception for SC.L2-3.13.11 CUI encryption scored at 3 points, and separately bars a handful of named 1-point requirements from the POA&M), and close every POA&M item within a maximum of 180 days. Because 5-point and 3-point controls are barred from the POA&M, the practical translation is blunt: you cannot certify — not even conditionally — with your incident-handling and incident-reporting controls unimplemented. That reframes the whole “IR is just three small controls” instinct. Two of them are pass/fail gates on your certification. Treat them that way.
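The scoring and POA&M gates above reduce to a few rules a self-assessor can check mechanically. The block below is an added example, not the page's own tooling and not DoD's SPRS calculator: it applies the subtract-from-110 rule and the conditional-status gates to a requirement list. The catalog it scores is constructed; only the three IR weights (5/5/1) are the page's, and the placeholder 1-point entries exist only so the weights sum to 110. The few named exceptions in 32 CFR §170.21 (the 3.13.11 carve-out and the barred 1-point items) are deliberately not modeled.

```python
"""Added example (not from the page): scorer for the DoD Assessment Methodology
subtraction rule and the 32 CFR 170.21 conditional Level 2 gates.
The catalog is a constructed sample, not the real 110-requirement list."""
from dataclasses import dataclass, replace

TOTAL_REQUIREMENTS = 110      # Level 2 maps to all 110 requirements of NIST SP 800-171 Rev. 2
CONDITIONAL_MIN_SCORE = 88    # 80% of 110
POAM_CLOSE_DAYS = 180         # every POA&M item must be closed within this window


@dataclass(frozen=True)
class Requirement:
    rid: str            # CMMC practice ID, e.g. "IR.L2-3.6.1"
    points: int         # 5, 3 or 1 under the DoD Assessment Methodology
    implemented: bool


def sprs_score(reqs):
    """SPRS summary score: start at 110, subtract the weight of every unmet requirement."""
    return TOTAL_REQUIREMENTS - sum(r.points for r in reqs if not r.implemented)


def poam_eligible(r):
    """Only 1-point requirements may sit on a POA&M for conditional status.
    32 CFR 170.21 adds exceptions (SC.L2-3.13.11 at 3 points is allowed; a few
    named 1-point items are not) that this simplified check does not model."""
    return r.points == 1


def conditional_blockers(reqs):
    """Reasons a conditional Level 2 status would be refused. An empty list means
    the score and POA&M composition pass; the POA&M must still close in 180 days."""
    reasons = []
    score = sprs_score(reqs)
    if score < CONDITIONAL_MIN_SCORE:
        reasons.append(f"score {score} is below {CONDITIONAL_MIN_SCORE}")
    for r in reqs:
        if not r.implemented and not poam_eligible(r):
            reasons.append(f"{r.rid} ({r.points} pts) must be fully implemented; not POA&M-eligible")
    return reasons


# Constructed catalog: the three real IR weights plus hypothetical 1-point placeholders
# so the weights sum to 110 (the real catalog has 110 items weighted 5/3/1).
IR_CONTROLS = [
    Requirement("IR.L2-3.6.1", 5, True),
    Requirement("IR.L2-3.6.2", 5, True),
    Requirement("IR.L2-3.6.3", 1, True),
]
FILLER = [Requirement(f"XX.L2-placeholder-{i}", 1, True) for i in range(99)]  # hypothetical
SAMPLE_ALL_MET = IR_CONTROLS + FILLER


def with_gaps(reqs, unmet_ids):
    """Copy of reqs with the named requirements marked not implemented."""
    return [replace(r, implemented=False) if r.rid in unmet_ids else r for r in reqs]


if __name__ == "__main__":
    # A 105 looks healthy, but an unimplemented 3.6.1 blocks even conditional status.
    ir_gap = with_gaps(SAMPLE_ALL_MET, {"IR.L2-3.6.1"})
    print(sprs_score(ir_gap), conditional_blockers(ir_gap))
    # An unimplemented 3.6.3 costs one point and is POA&M-eligible.
    test_gap = with_gaps(SAMPLE_ALL_MET, {"IR.L2-3.6.3"})
    print(sprs_score(test_gap), conditional_blockers(test_gap))
```

The point the numbers make: a catalog with only 3.6.1 unmet scores 105, comfortably above 88, and is still ineligible for conditional status; a catalog with 23 unmet 1-point items is eligible by POA&M composition but fails on score.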
The DFARS 252.204-7012 72-hour rule — the part most plans underbuild
The filing path and the medium assurance certificate are straightforward to stage before an incident, but they are not details you want to be discovering after the clock starts. DFARS 252.204-7012 applies to any contract involving Covered Defense Information (CDI) — the DFARS term for controlled technical information and other CUI tied to contract performance. When the clause is in your contract, five duties attach to any reportable cyber incident:
| Obligation | What the clause requires | The detail that catches people | Clause reference |
|---|---|---|---|
| Rapidly report | Report the cyber incident to DoD. | “Rapidly report” is defined as within 72 hours of discovery. No grace period for investigation or approvals. | 7012(c) |
| Medium assurance certificate | You must have one to submit a report. | Provisioning takes time; ECA vendors include IdenTrust and WidePoint. Get it now. | 7012(c)(3) |
| Malicious software | Submit isolated malware discovered in the incident. | Send it to the DoD Cyber Crime Center (DC3) — not to the Contracting Officer. | 7012(d) |
| Preserve evidence | Preserve images of affected systems and relevant monitoring/packet-capture data. | For at least 90 days from submission of the incident report. | 7012(e) |
| Flow down | Include the clause in subcontracts involving CDI. | Subs report directly to DoD and notify the next higher tier. | 7012(m) |
Where do you actually file now? (verified July 2026)
| Question | What DFARS 252.204-7012 says | Operationally current (July 2026) | What your plan should do |
|---|---|---|---|
| Where do you file? | References reporting at dibnet.dod.mil | Legacy DIBNet portal retired June 6, 2025; dibnet.dod.mil redirects to DC3’s DCISE page; reports filed through the Incident Collection Format (ICF) at icf.dcise.cert.org. | Reference both DIBNet and the ICF; verify current DC3/DCISE instructions before filing. |
| What do you need to access it? | A DoD-approved medium assurance certificate | A CAC or ECA medium assurance certificate is required. If you don’t have one, contact DC3/DCISE for assistance. | Obtain the certificate in advance; keep the DC3/DCISE contact path in your plan. |
| How does the report reach DoD? | The report includes required elements | Complete the ICF, which generates an .xml file submitted to DC3 via encrypted email or DoD SAFE; DC3 assigns an incident number. | Pre-stage identifiers and owners so the ICF can be completed fast. |
| How long must you preserve evidence? | At least 90 days from submission | Unchanged — preserve images and relevant monitoring/packet-capture data for 90 days. | Preserve images, logs, packet capture, and any isolated malware. |
The sequence a real incident demands
The instinct after finding ransomware or unauthorized access is to contain and restore fast. That instinct is right operationally, but it collides with your preservation duty. Your plan should encode a preserve-before-you-rebuild discipline:
1. Contain or isolate the affected system to limit damage, where it's safe to do so.
2. Preserve and protect images of affected systems and relevant monitoring/packet-capture data before destructive remediation.
3. Report the incident through the current DC3/DCISE ICF process within 72 hours, when DFARS 252.204-7012 applies.
4. Then finish eradication and recovery — while keeping the required evidence intact.
One reassurance worth knowing
Reporting an incident is not, by itself, an admission that you failed. DFARS states that a cyber incident report “shall not, by itself, be interpreted as evidence that the contractor or subcontractor has failed to provide adequate security” or otherwise failed to meet the clause (DFARS 204.7302(d)). Report on time and document honestly — the protection is real, but it doesn’t cover an inaccurate SPRS score, which is where False Claims Act exposure lives. And the CMMC Final Rule did not repeal the cyber clause: DFARS 252.204-7012 remains active and keeps its 72-hour reporting, malicious-software, and preservation duties. Full DFARS 252.204-7012 clause breakdown →
What to put in your CMMC incident response plan
The lifecycle in sections 4–8 follows the four-phase model most practitioners use — Preparation; Detection & Analysis; Containment, Eradication & Recovery; Post-Incident Activity — which comes from NIST SP 800-61 Rev. 2. Revision 3 (2025) keeps the same activities but reorganizes them around the CSF 2.0 functions. Note that 800-61 is guidance, not a CMMC requirement — 3.6.1 itself already lists the lifecycle elements you must cover.
1. Purpose and scope — the systems, users, cloud services, and enclaves that process, store, or transmit CUI (your assessment boundary). (3.6.1)
2. Definitions — event vs. incident vs. reportable cyber incident under DFARS 7012. Getting this line right prevents both over-reporting and missed reports. (3.6.1 / 7012)
3. Roles and responsibilities — a named, accountable incident lead (a role with an owner, not just 'the IT team'), plus IT/security, executive sponsor, legal/contracts, HR, communications, data owner, and prime/customer contact. (3.6.1[a])
4. Preparation — tools, logging, training, and the reporting channels that let users and systems flag trouble. (3.6.1)
5. Detection & analysis — how alerts become incidents, and how you determine whether CUI/CDI is affected. (3.6.1)
6. Containment, eradication & recovery — isolation, who has authority to pull a system offline, backup validation, and restore approvals. (3.6.1)
7. Reporting matrix — internal officials and external authorities, including the 72-hour DC3/DCISE report and the named person who owns filing it. (3.6.2[c]–3.6.2[f] + 7012)
8. Evidence preservation & forensic imaging — the contain → preserve → report → recover sequence and 90-day retention. (7012(e))
9. Malicious software handling — isolate and submit to DC3. (7012(d))
10. Incident tracking / the incident log — the record for every incident: what, when, who, systems affected, CUI involvement, actions, outcome. (3.6.2[a]–[b])
11. Testing & exercise procedure — the cadence and format for tabletops, and what you capture. (3.6.3)
12. Plan maintenance & version control — review cadence, approver, distribution, revision history.
13. Appendices — contact tree; a certificate + ICF reporting readiness checklist; the incident report form; and a tabletop scenario library.
Can you use a CMMC incident response plan template?
The structure in the previous section is a working template. The failure mode we see is contractors treating a downloaded document as the deliverable, when the deliverable is the operating capability the document describes. Walk away from any template that:
- claims to be “CMMC compliant” without mapping to 3.6.1 / 3.6.2 / 3.6.3;
- never mentions CUI or CDI;
- omits DFARS 252.204-7012;
- doesn’t identify external reporting authorities;
- has no testing section or after-action report; or
- uses old CMMC 1.0 practice IDs (the “17 domains” model) without a current mapping.
What a C3PAO actually checks in your incident response domain
The CMMC Assessment Guide — Level 2 confirms the same guide supports both self-assessment and certification assessment, and that your scope has to be defined before the assessment starts. Here’s what each method looks like in the IR domain.
Examine
- Incident response policy and the plan itself
- Procedures/playbooks
- The incident log and any past reports
- Tabletop materials and the after-action report
- Training records
- Your System Security Plan (SSP) references to the IR controls
Interview
- Incident lead can describe escalation
- Users know how to report suspicious activity
- IT/security knows how an alert becomes an incident
- Legal/contracts knows when DFARS 7012 may apply
- Leadership knows who authorizes external reporting
Test
- The alert-to-incident and ticket workflow
- The contact tree
- Retrieving evidence on demand
- Walking a tabletop scenario end to end
How to test your plan so 3.6.3 passes
Does CMMC require a tabletop specifically?
No. The control text says “test the organizational incident response capability.” A tabletop is the most common and defensible method for small and mid-size contractors, but NIST SP 800-171 Rev. 2 lists checklists, walkthrough/tabletop exercises, simulations, and comprehensive exercises as options. Pick the method you can execute and evidence.
Does a phishing test count?
By itself, usually not. A phishing simulation tests awareness and detection — it answers “will someone click?” The IR control asks a different question: then what? Did the report reach the incident lead, did triage happen, was the CUI-impact call made, did the reporting decision get logged? If your only evidence is a click-rate report, you’ve tested the front door and skipped the whole house. Run the “then what” workflow and document it.
Cadence
The control doesn’t fix a specific frequency. An annual exercise, plus a fresh test after a major system change or a real incident, is a defensible cadence — but set it in your policy and then actually hold to it. (This cadence is our editorial recommendation, not a NIST-mandated interval.)
Starter scenarios that map to DIB reality
| Scenario to run | Controls exercised | Evidence to capture |
|---|---|---|
| Spoofed email leads to credential compromise | 3.6.1, 3.6.2, 3.6.3 | Ticket, escalation log, CUI-impact decision, after-action report |
| Lost laptop that may hold CUI | 3.6.1, 3.6.2, DFARS 7012 triage | Device record, data-owner decision, reporting decision |
| Ransomware on a file server or cloud file store | 3.6.1, 3.6.2, DFARS 7012(e) | Containment record, image/log preservation, ICF reporting decision |
| A subcontractor reports a CDI incident | 3.6.2, DFARS 7012(m) | Incident report number, prime-notification record |
Your after-action report should capture: date, scenario, participants, systems in scope, the CUI/CDI-impact decision, the reporting decision, actions taken, evidence produced, gaps found, corrective actions with owners and due dates, and closure. That document is your 3.6.3 evidence. Need scenarios? CISA publishes free tabletop exercise packages you can adapt.
How incident response differs by CMMC level
| Level | Data in scope | Incident response obligation | Assessment type |
|---|---|---|---|
| Level 1 | Federal Contract Information (FCI) | No dedicated IR control among the 15 FAR 52.204-21 safeguards. But any contract with DFARS 252.204-7012 still triggers the 72-hour reporting duty. | Annual self-assessment |
| Level 2 | Controlled Unclassified Information (CUI) | The full IR domain: 3.6.1, 3.6.2, 3.6.3, plus operationalizing DFARS 7012. | Self-assessment or C3PAO, set by the contract clause |
| Level 3 | Highest-sensitivity CUI / APT-relevant programs | Level 2 plus a subset of NIST SP 800-172 enhanced requirements. | DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) |
Do you need an RPO, MSSP, GRC platform, or C3PAO for incident response?
| If your gap is… | Consider this category | What to verify before you hire |
|---|---|---|
| The plan is generic or not mapped to CMMC | RPO / RP (Registered Provider Organization / Registered Practitioner) or virtual CISO | CMMC experience, scoping method, how they map evidence to objectives |
| You can’t detect or respond operationally | MSSP / SOC / managed detection | Whether they cover your CUI boundary, log sources, escalation SLAs, evidence exports |
| Your evidence is scattered | GRC platform (governance, risk, compliance software) | SSP/POA&M linkage, ticketing, audit trail, exportability — software organizes evidence; it doesn’t satisfy CMMC on its own |
| You may have a real incident | Incident-response retainer + counsel | Forensics capability, privilege strategy, DFARS 7012 experience |
| You’re assessment-ready | C3PAO | Current Cyber AB Marketplace status, independence, assessment scope |
What to do if you find a possible incident before your plan is ready
First hour
- Stop further damage where it's safe to do so.
- Preserve logs — do not delete, reimage, or alter systems without guidance.
- Identify affected systems and accounts.
- Determine whether CUI/CDI may be involved.
- Notify your incident lead and legal/contracts.
First 24 hours
- Determine whether DFARS 7012 applies to the affected contract.
- Pull your contract identifiers (contract number, CAGE code, UEI).
- If your reporting access or certificate isn't ready, contact DC3/DCISE — don't let a login problem eat your 72 hours.
- Stage the ICF fields; preserve affected images, logs, and packet capture.
- Record your timeline and every decision.
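The preserve-before-you-rebuild sequence earlier on this page and the first-hour / first-24-hours checklist above both come down to a recorded timeline checked against two clocks. The block below is an added example, not the page's template and not DC3 tooling: a minimal incident-log record that computes the 72-hour report deadline from discovery and the 90-day preservation hold from report submission, and flags any destructive step (reimage, wipe, restore) logged before evidence preservation. The incident, timestamps and the DC3 incident number in the samples are constructed placeholders; whether an incident is reportable under 7012 is a human decision made under your plan's definitions section and is passed in as a flag.

```python
"""Added example (not from the page): incident-log record with the DFARS 252.204-7012
clocks and the contain -> preserve -> report -> recover ordering check."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

REPORT_WINDOW = timedelta(hours=72)    # 7012(c): "rapidly report" means within 72 hours of discovery
PRESERVE_WINDOW = timedelta(days=90)   # 7012(e): preserve images/logs 90 days from report submission
DESTRUCTIVE = {"reimage", "wipe", "eradicate", "restore"}   # steps that destroy evidence if run first


@dataclass
class Step:
    at: datetime
    action: str           # "contain", "preserve", "report", "reimage", "restore", ...
    note: str = ""


@dataclass
class Incident:
    incident_id: str
    discovered: datetime
    reportable_under_7012: bool          # set by the responder per the plan's definitions section
    steps: List[Step] = field(default_factory=list)
    dc3_incident_number: Optional[str] = None

    def log(self, at, action, note=""):
        self.steps.append(Step(at, action, note))
        return self


def report_deadline(inc):
    return inc.discovered + REPORT_WINDOW


def first(inc, action):
    """Timestamp of the earliest step with this action, or None."""
    times = sorted(s.at for s in inc.steps if s.action == action)
    return times[0] if times else None


def preservation_until(inc):
    """End of the 90-day hold, or None if no report has been submitted yet."""
    reported = first(inc, "report")
    return reported + PRESERVE_WINDOW if reported else None


def findings(inc, now):
    """Plain-language deviations from the required sequence and clocks."""
    out = []
    preserved = first(inc, "preserve")
    for s in inc.steps:
        if s.action in DESTRUCTIVE and (preserved is None or s.at < preserved):
            out.append(f"{s.action} at {s.at.isoformat()} before evidence preservation")
    if inc.reportable_under_7012:
        reported = first(inc, "report")
        deadline = report_deadline(inc)
        if reported is None and now > deadline:
            out.append(f"72-hour report overdue since {deadline.isoformat()}")
        elif reported is not None and reported > deadline:
            out.append(f"report filed after the 72-hour deadline ({deadline.isoformat()})")
        if reported is not None and inc.dc3_incident_number is None:
            out.append("report logged without a DC3 incident number")
    return out


# Constructed sample timelines (hypothetical systems, times and identifiers).
T0 = datetime(2026, 3, 2, 9, 15, tzinfo=timezone.utc)   # discovery


def sample_good():
    inc = Incident("INC-2026-014", T0, reportable_under_7012=True)
    inc.log(T0 + timedelta(minutes=20), "contain", "FS01 moved to isolation VLAN")
    inc.log(T0 + timedelta(hours=3), "preserve", "FS01 disk image + 7 days of firewall pcap, hashed")
    inc.log(T0 + timedelta(hours=30), "report", "ICF completed and sent to DC3")
    inc.dc3_incident_number = "DC3-PLACEHOLDER-0001"   # hypothetical value
    inc.log(T0 + timedelta(hours=40), "reimage", "FS01 rebuilt; image retained")
    return inc


def sample_bad():
    inc = Incident("INC-2026-015", T0, reportable_under_7012=True)
    inc.log(T0 + timedelta(hours=1), "reimage", "helpdesk wiped the laptop to 'fix' it")
    inc.log(T0 + timedelta(hours=2), "preserve", "only event logs exported")
    return inc


if __name__ == "__main__":
    for inc in (sample_good(), sample_bad()):
        print(inc.incident_id, findings(inc, T0 + timedelta(hours=80)) or "no deviations")
```

Run against the second sample at discovery plus 80 hours it reports both failure modes the page warns about: a reimage that ran before preservation, and a 72-hour report that never went out.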
How we built this
We wrote this page the way we write every page — by reading the primary sources ourselves and refusing to state a requirement without one. This is editorial decision support, not legal, contractual, or compliance advice.
What we verified:
- NIST SP 800-171 Rev. 2 §3.6.1–3.6.3 — The three IR controls and their text.
- NIST SP 800-171A + CMMC Assessment Guide L2 — The examine/interview/test methods and the 14 assessment objectives.
- DoD Assessment Methodology v1.2.1 + 32 CFR §170.21 — The 5/5/1 point values and the rule that 5-point controls can't be POA&M'd.
- DFARS 252.204-7012 (Acquisition.gov + eCFR) — The 72-hour deadline, medium assurance cert, DC3 malware submission, 90-day preservation.
- DC3 DCISE + DFARS PGI 204.7303-3 — DIBNet retired June 6, 2025; reporting moved to DC3/DCISE ICF.
- DFARS 204.7302(d) — A report is not, by itself, evidence of a security failure.
- 32 CFR §170.4 + §170.9 — C3PAO conflict-of-interest rules.
- Federal Register + 32 CFR Part 170 — Level 2 uses NIST SP 800-171 Rev. 2; rule timing; Phase 1 through Nov. 9, 2026; Phase 2 begins Nov. 10, 2026.
Frequently asked questions
What are the CMMC incident response requirements?
For CMMC Level 2, the incident response requirements are NIST SP 800-171 Rev. 2 controls 3.6.1 (incident handling), 3.6.2 (incident reporting), and 3.6.3 (incident response testing). Together they require a documented, operational, and tested incident response capability.
Is an incident response plan required for CMMC Level 2?
Yes in practice. Level 2 requires an implemented and tested incident response capability, and the CMMC Assessment Guide lists the incident response plan and related records as evidence a C3PAO can examine. A documented plan is the standard way to organize and prove that capability. Level 1 (FCI only) has no dedicated incident response control.
Can the incident response controls go on a POA&M?
Controls 3.6.1 and 3.6.2 cannot — they are worth 5 points each in the DoD Assessment Methodology, and 5-point controls are barred from a POA&M, so they must be fully implemented for even conditional certification. Only 3.6.3 (1 point) is POA&M-eligible and must be closed within the 180-day conditional window.
What must be reported within 72 hours under DFARS 252.204-7012?
Any cyber incident affecting a covered contractor information system, the Covered Defense Information on it, or the contractor's ability to perform operationally critical support. Reports are filed within 72 hours of discovery through the DoD Cyber Crime Center's DCISE using the Incident Collection Format (ICF).
Where do I report a cyber incident now that DIBNet is gone?
The legacy DIBNet portal was retired on June 6, 2025. Reports now go through DC3/DCISE using the Incident Collection Format: complete the ICF, submit the generated file to DC3 via encrypted email or DoD SAFE, and DC3 assigns an incident number. Isolated malicious software goes to DC3, not the Contracting Officer. Verify current DC3/DCISE instructions before filing.
Does a medium assurance certificate matter, and how do I get one?
Yes — you need a DoD-approved medium assurance certificate (a CAC or ECA) to reach the reporting portal. Obtain it in advance from a DoD-approved External Certification Authority; if an incident hits before you have one, DC3/DCISE provides a contact path for reporting assistance.
Does my incident response plan affect SPRS or DFARS 252.204-7019 / 252.204-7020?
Indirectly, yes. The IR controls affect your NIST SP 800-171 / CMMC Level 2 score because 3.6.1 and 3.6.2 are 5-point controls and 3.6.3 is a 1-point control. Under DFARS 204.7302(b) and DFARS 252.204-7019, a contracting officer verifies a current NIST SP 800-171 DoD Assessment score is posted in SPRS before award, option exercise, or extension when NIST SP 800-171 is required. DFARS 252.204-7020 covers DoD assessment access and subcontractor flow-down.
Does CMMC require a tabletop exercise?
CMMC requires testing the incident response capability (control 3.6.3). A tabletop is the most common accepted method, but NIST also recognizes checklists, walkthroughs, simulations, and comprehensive exercises. The test must be documented.
Does a phishing test count as incident response testing?
Not by itself. A phishing simulation tests awareness and detection, while the incident response control asks whether your response process works after an event — triage, escalation, the CUI-impact decision, the reporting decision, and recovery. Document that workflow, not just a click rate.
What is the difference between CUI and CDI in the plan?
CUI (Controlled Unclassified Information) is the broad government-wide category. CDI (Covered Defense Information) is the DFARS 252.204-7012 term for controlled technical information and other CUI tied to DoD contract performance. Your plan should account for both, because CMMC and DFARS use related but distinct terms.
Can a C3PAO help write my incident response plan?
Be careful. A firm that provided your readiness or consulting work generally cannot also serve as the C3PAO that certifies you, under the conflict-of-interest rules in 32 CFR §170.9 and the CMMC Assessment Process. Keep readiness help and formal assessment separate to protect your certification.
Does CMMC replace DFARS 252.204-7012?
No. They are separate obligations that operate together. CMMC verifies your NIST SP 800-171 implementation; DFARS 252.204-7012 imposes the 72-hour cyber incident reporting duty, and it continues to apply.